Copyright (c) 2003, University of Wisconsin Board of Regents

Slide 2: Why are We Doing This?
The HIPAA security regulation requires risk assessment. UW-Madison policy, developed by the HIPAA Task Force, requires that each unit of the HCC do a risk assessment inventory as part of the process of submitting a migration plan to the HIPAA Security Officer by October 14th, 2003.

Slide 3: Who Developed It?
The UW-Madison HIPAA Task Force has a Security Committee. The Security Committee appointed a risk assessment subcommittee to develop guidance for the units of the HCC. DoIT provided staff resources to assist that subcommittee in building the spreadsheet and related documents, such as this presentation.

Slide 4: Contents of the Packet
– The Presentation
– The Risk Assessment Inventory workbook
– FAQ for the RA Inventory
– List of HCC Unit Security Coordinators

Slide 8: The Model
In the model we've created for the HIPAA Risk Assessment Inventory, a unit of the HCC has:
– Technical Assets,
– Physical Sites, and
– Administrative Subunits.

Slide 10: It almost works...
The way the regulation is written:
– there are quite a number of Administrative and Physical Safeguards that apply to individual technical assets.
– there are a few Technical Safeguards that apply to physical sites.

Slide 11: Diagram of the Model

Slide 12: The Unit of the HCC
Examples:
– Medical School
– School of Nursing
– Hygiene Lab

Slide 13: Technical Assets
– A computer system
– A network device
– A workstation
– A peripheral
– A portable device (any type)
– An application

Slide 14: Safeguards that Apply to Individual Technical Assets
– All Technical Safeguards, in most cases.
– All Physical Safeguards, in many cases.
– Most Administrative Safeguards, except those under:
  – Security Management Process, and
  – Assigned Security Responsibility.
These represent broad administrative or human resource activities, which are not specific to an individual technical asset.

Slide 15: A Technical Asset is
– Owned and operated by one or more Administrative Subunits
  – Some assets are shared by multiple subunits, so there may be overlap of sysadmins and users.
– Located at one or more Physical Sites
  – Some assets, such as networks and applications, are distributed among multiple physical sites.

Slide 17: Safeguards that Apply to Each Administrative Subunit
– No Technical Safeguards,
– No Physical Safeguards,
– All Administrative Safeguards (as one might expect).

Slide 18: Physical Sites
– A building complex,
– A single building,
– A wing or a floor,
– Rooms scattered about a building or complex, or
– An isolated room with unique security needs.
Key thoughts: physical sites are typically isolated from each other, and have differing security issues.

Slide 19: Safeguards that Apply to Physical Sites
– A few Technical Safeguards, related to:
  – Emergency Access (can we get in?),
  – Auditing (who has been there?), and
  – Authentication (are they who we think they are?)
– All Physical Safeguards (as one might expect)
– No Administrative Safeguards (but please don't forget physical access and security when writing the administrative policies and procedures!)

Slide 21: Step 1: Inventory
Make lists (don't assess risks yet!). This is where you start to fill in the four sheets of the Risk Assessment Inventory, numbered I. through IV. Details of those four sheets are covered later in the presentation.

Slide 22: Step 2: Establish a Team
Suggestion: have IT, HR, and Management representatives.

Slide 23: Step 3: Score Risks
Suggestion: use a scale of A, B, C, D, and F, where A (excellent) is low risk and F is high risk.

Slide 24: Where to Concentrate
Risk associated with all applicable safeguards should be assessed, but spend the most time and attention on the required safeguards. The 'HIPAA Security Regs' sheet in this workbook includes a possible grading scale for each required safeguard.

Slide 25: Descriptive Narrative
The narrative should explain "why":
– Why those physical sites and those administrative subunits were selected.
– Why various technical assets were grouped together.
– Why particular scores were given for key assets, especially when the score was an "A", "D" or "F".

Slide 26: Comments in Cells
To shorten the narrative, comments may be added to the cells of sheets II. through IV. When the inventory is printed, the comments will follow each sheet.

Slide 27: Step 4: Prioritize Risks
Not all D's and F's are equally important. Take into account the cost of intervention and the business impact of a loss of confidentiality, integrity, or availability of data. Add the results of the prioritization to the descriptive narrative.

Slide 28: Step 5: Deliver
If you're doing the risk assessment inventory for a subunit, deliver it to your Security Coordinator by October 1st. Security Coordinators should deliver the unit's migration plan (and the accompanying risk assessment inventory) to the Security Officer by October 14th. These dates are subject to change. Take them seriously (we need to do this!), but stay tuned.

Slide 31: Fields on the Template Sheets
The instructions primarily describe the fields for the sheet 'II. Tech Assets'. The other sheets are simpler, and are covered as additional notes in the description of each field.

Slide 33: I. HCC Unit
The 'I. HCC Unit' sheet is simply a place to enter:
– the name of the Unit of the HCC,
– the name of each physical site,
– the name of each administrative subunit.
The names are carried forward onto sheets II. through IV. If you discover that you have more sites and subunits than is provided for, please contact me and I will produce an expanded version for you.

Slide 35: II. Tech Assets
Layout of the sheet: HIPAA provisions run across, technical assets run down, and risk scores are entered within the grid.
It is OK to group technical assets together, for example: all office productivity workstations, all network switches, etc. Refer back to the 'Instructions' sheet, where the fields are described in some detail. Refer forward to the 'HIPAA Security Reg' sheet, where the regulation and some grading scales are summarized.

Slide 37: II. Tech Assets Descriptive Information (cont.)
– Stores or processes PHI? (Y/N)
– Other critical or sensitive data? (Y/N)
  What about technical assets that have neither? They can still pose a risk to assets that do have PHI and other critical or sensitive data.
– Internal or external to firewall? (I/E)
  By default, a portable device is considered external to the firewall.

Slide 38: Required and Addressable Safeguards
These are indicated with an (R) or (A). The required safeguards are 'greyed out' so they are easily visible on the sheet. While you need to score all safeguards, the ones to do first and to spend the most time on are the required safeguards.

Slide 39: Required Safeguards (R)
These must be implemented (unless not applicable to the technical asset). The degree of implementation and the particular method of implementation are, for the most part, not specified in the regulation. That was deliberate, because circumstances vary and technology changes.

Slide 40: Addressable Safeguards (A)
Consider the extent to which the implementation specification applies. If it is not applicable, give it an 'n/a'. If you are already doing what is "reasonable and appropriate", give it an 'A'. Otherwise grade it according to the degree to which improvement is needed to meet the standard of "reasonable and appropriate". Note that "reasonable and appropriate" implicitly includes all the elements of risk: threats, vulnerabilities and value.

Slide 41: What is Risk?
We are scoring risk, not just the degree of compliance: an important distinction.
Risk = Threats * Vulnerabilities * Value
If we are all exposed to roughly the same threats, and if all PHI has roughly the same value, then vulnerability is the most variable factor, and non-compliance with the regulation (i.e. best practices) is an excellent measure of vulnerability. However, threats and value do vary, so it is important to consider them when assessing risk.

Slide 42: Default Values
– Nearly all are 'n/a'.
– They are based on Asset Category.
– The formula is present in each cell; simply overwrite it with the actual data.
– A default value is only provided where that value is appropriate most of the time.
– Feel free to override the default.
– You can change default values at the bottom of the sheet (not visible on the printed copy).

Slide 43: Color Coding
The color coding is for convenience only:
– 'A' is Green
– 'B' and 'C' are Yellow
– 'D' and 'F' are Red
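As an added illustration of the scoring rules on slides 27, 41, 42 and 43 (this is example code, not the workbook or any UW-Madison tool), the model below applies the A-to-F grades, category defaults that fall back to 'n/a', the color coding, the Risk = Threats * Vulnerabilities * Value formula, and a Step 4 prioritization of the D and F cells. The asset categories, default grades, numeric weights and intervention costs are constructed assumptions.

```python
from dataclasses import dataclass, field

# Step 3 grades: A (excellent) is low risk, F is high risk. The numeric
# weights are an assumption of this example, not part of the workbook.
GRADE_VULN = {"A": 1, "B": 2, "C": 3, "D": 4, "F": 5}
# Color coding from the sheet: A green, B and C yellow, D and F red.
COLOR = {"A": "green", "B": "yellow", "C": "yellow", "D": "red", "F": "red"}
# Default grade per asset category and safeguard (constructed sample); any
# safeguard not listed here defaults to 'n/a', as nearly all do on the sheet.
DEFAULTS = {"portable device": {"Workstation Security": "D"}}


@dataclass
class TechAsset:
    name: str
    category: str
    stores_phi: bool                 # Stores or processes PHI? (Y/N)
    internal: bool                   # Internal (I) or external (E) to firewall
    grades: dict = field(default_factory=dict)   # safeguard -> grade or 'n/a'

    def grade(self, safeguard: str) -> str:
        """An entered grade overwrites the default; else the category default; else 'n/a'."""
        if safeguard in self.grades:
            return self.grades[safeguard]
        return DEFAULTS.get(self.category, {}).get(safeguard, "n/a")


def color(grade: str) -> str:
    """Color a scored cell; 'n/a' cells get no color."""
    return COLOR.get(grade, "none")


def risk(threats: float, vulnerabilities: float, value: float) -> float:
    """The presentation's formula: Risk = Threats * Vulnerabilities * Value."""
    return threats * vulnerabilities * value


def prioritize(assets, safeguards, cost):
    """Step 4: rank only the D and F cells. Value follows business impact
    (PHI present), threats follow firewall exposure, and the score is divided
    by the cost of intervention; all three weightings are assumptions here."""
    ranked = []
    for a in assets:
        value = 3 if a.stores_phi else 1
        threats = 1 if a.internal else 2     # external (e.g. portable): more exposed
        for s in safeguards:
            g = a.grade(s)
            if g in ("D", "F"):
                score = risk(threats, GRADE_VULN[g], value) / cost.get(s, 1)
                ranked.append((score, a.name, s, g))
    return sorted(ranked, reverse=True)
```

Entered grades, defaults and 'n/a' cells flow through `grade()`, so a cell that was never scored is never ranked.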

Slide 44: II. Tech Assets: What is being scored?
For Administrative and Physical Safeguards, the risk is related to the degree to which the individual technical asset is included or accounted for in the policies and procedures of each Administrative or Physical Safeguard. Think: 'inclusion in policies and procedures'. For Technical Safeguards, the risk is related to the degree to which each Technical Safeguard is directly implemented on each individual technical asset.

Slide 47: III. Phys Site(s): What is being scored?
– For the Physical Safeguards, risk is mitigated primarily by the physical security of the site, and not the security of individual technical assets.
– For the Technical Safeguards, risk is mitigated by the policies and procedures related to the access, auditing, and authentication of persons who are physically entering or within the site.
– Workstation Use and Workstation Security are exceptions...

Slide 48: III. Phys Site(s): Workstation Use and Security
Workstation Use includes a strong component of appropriate use of the workstation, as well as physical security. Workstation Security includes any physical measures to restrict access to authorized users. The need for such measures will vary with the degree of physical exposure of the workstation at the site (for example: a workstation in a public area vs. one in a locked office).

Slide 52: IV. Admin Subunit(s): What is being scored?
Administrative Safeguards are about:
– Various types of assessment and evaluation.
– Policies and procedures:
  – Writing them,
  – Implementing them,
  – Testing and revising them.
– Contracting for services.

Slide 53: IV. Admin Subunit(s): What is being scored?
There is risk associated with not doing assessment and evaluation, and with not having policies and procedures that are adequate, implemented, and up-to-date. Score the extent to which risk has been mitigated by the required safeguards, or by the reasonable and appropriate level of activity within each addressable safeguard.

Slide 54: HIPAA Security Regulation (Handout, pages 9-12: 'HIPAA Security Reg' sheet)
This is a summary of the regulation, with language taken for the most part directly from the regulation. The definitions from the regulation of required and addressable safeguards are included at the bottom of each section. A possible grading scale for each required safeguard is included in the rightmost column. That grading scale is NOT part of the regulation! It is just a suggestion, to give folks a starting point.

Slide 55: HIPAA Security Regulation...
For addressable safeguards, the reasonable and appropriate tests apply. This makes it very difficult to suggest a consistent grading scale for such safeguards. To complete the risk assessment, you will need to understand the security regulation at least to the extent presented in this section of the template. It is as abbreviated as practical. You also need to review the UW-Madison policy relevant to the various Safeguards. See:

Slide 56: What does the regulation mean?
A PDF and text copy of the final Security Regulation from the Federal Register can be found at:
There are 49 PDF pages in the files. These correspond to "pages" in the Federal Register. The regulation text itself begins on "page" . "Comments" on the proposed regulation and "responses" from the regulators start on page . The "responses" answer many questions, but you do need to dig a little to find the relevant comments. Try searching for keywords.

Slide 57: Files
The files are located at:
Files are:
– The Excel workbook containing the template for the HIPAA Risk Assessment Inventory.
– This presentation.
– The FAQ for the Risk Assessment Inventory.
– The 5/30/2003 list of Unit Security Coordinators.
There are also links and contacts on that page.

Slide 58: Questions?
For questions about the interpretation of the security regulation or UW-Madison policy, please contact your Security Coordinator. Security Coordinators should contact the Security Officer. For questions about the template or other files (not the interpretation of the regulation, please!), contact me at: or